Data Processing Agreement
Data Processing Agreement structured under GDPR Article 28. Bracketed fields are completed by the parties at signing.
1. Parties
Controller (Customer):
Legal name: [CUSTOMER LEGAL NAME]
Address: [ADDRESS]
Tax / registration number: [TAX NUMBER]
Representative: [CONTACT PERSON]
Email: [EMAIL]
Processor (Apex Web):
Legal name: Tokar Adam sole trader (Apex Web)
Address: Szolos utca 4/1, 5700 Gyula, Hungary
Tax number: 92003747-1-24
Email: info@apexweb.hu
Phone: +36 30 241 1366
2. Subject matter and duration
This Agreement governs the processing of personal data carried out by Apex Web on behalf of the Controller in connection with the AI chatbot and/or AI voice receptionist service (the "Service"), pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR).
The Agreement is effective for the duration of the active subscription between the parties. It terminates automatically upon expiry or termination of the subscription, unless otherwise agreed in writing.
3. Nature and purpose of processing
The Processor acts on behalf of the Controller and carries out the following activities:
- Operating an AI chatbot on the Controller's website: receiving conversations, generating responses, storing lead data.
- Operating an AI voice receptionist: answering inbound calls, producing transcripts, recording lead data.
- Temporary storage of interaction logs for quality assurance and debugging purposes.
Processing is limited strictly to purposes necessary to deliver the Service. The Processor shall not use the data for its own purposes.
4. Categories of data subjects and personal data
Data subjects: end users of the Controller, such as patients, guests, and prospective customers who interact with the chatbot or voice receptionist.
Categories of personal data:
- Identification data: name, phone number, email address (where provided by the data subject).
- Communication content: chat message text, transcripts of voice call recordings.
- Technical metadata: timestamp of interaction, channel used.
Processing of special categories of data (health, biometric, etc.) requires separate written authorisation from the Controller.
5. Instructions from the controller
The Processor shall process personal data only on the documented, written instructions of the Controller. If the Processor considers that an instruction infringes the GDPR or other applicable law, it shall promptly inform the Controller and may refuse to execute the instruction.
6. Confidentiality
The Processor ensures that all personnel authorised to process personal data are bound by confidentiality obligations, whether by contract or by statute, and that they access data only to the extent necessary to perform the Service.
7. Security measures (Article 32 GDPR)
The Processor implements the following technical and organisational measures to protect personal data:
- Encryption in transit: TLS 1.2 or higher for all data transfers.
- Encryption at rest: applied on the cloud platforms used by the Processor and its sub-processors.
- Access controls: data is accessible only to authorised personnel on a need-to-know basis.
- Logging: access and processing events are recorded in system logs.
- Regular security reviews and timely application of updates and patches.
8. Sub-processors
The Controller grants general written authorisation for the Processor to engage the sub-processors listed in the Annex below. The Processor shall notify the Controller of any intended change to the list of sub-processors, giving sufficient prior notice for the Controller to object. The Processor shall impose equivalent data protection obligations on each sub-processor by contract.
The full sub-processor list is set out in the Annex at the end of this Agreement.
9. Assistance with data subject rights
The Processor shall assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, portability, objection, restriction). Where a data subject contacts the Processor directly, the Processor shall forward the request to the Controller without undue delay.
10. Personal data breach notification
The Processor shall notify the Controller of a personal data breach without undue delay after becoming aware of it, providing the Controller with enough information to meet its 72-hour reporting obligation to the supervisory authority. The notification shall include at minimum: the nature of the breach, categories and approximate number of data records concerned, likely consequences, and measures taken or proposed to address the breach.
11. Audit rights
The Controller has the right to audit the Processor's data processing activities, including on-site inspections. The Processor shall cooperate and make all relevant information available. Audits should be announced at least 10 working days in advance unless an emergency requires otherwise.
12. Deletion or return of data upon termination
Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and provide written confirmation of completion. Deletion applies to sub-processors as well, unless applicable law requires continued retention.
13. International data transfers
Some sub-processors (including OpenAI, Vapi, ElevenLabs, Telnyx, Soniox) operate outside the European Economic Area, primarily in the United States. Transfers are based on the European Commission-approved Standard Contractual Clauses (SCC) and/or the EU-US Data Privacy Framework (DPF). The applicable transfer mechanism for each sub-processor is indicated in the Annex.
14. Governing law
This Agreement is governed by the laws of Hungary and applicable EU regulation, including the GDPR. Disputes shall be referred to the competent Hungarian courts, unless otherwise agreed.
15. Signatures
The parties accept this Agreement as a binding contract as of the date indicated below:
Controller
Name: [CUSTOMER LEGAL NAME]
Date: [DATE]
Signature / company stamp
Processor
Name: Tokar Adam (Apex Web)
Date: [DATE]
Signature
Annex: Sub-processor list (Article 28 GDPR)
The following sub-processors are engaged by Apex Web in delivering the Service:
| Sub-processor | Purpose and role | Location / Transfer basis |
|---|---|---|
| Supabase | Database and backend: storage of leads, conversations, and bookings | EU (Frankfurt); no SCC required |
| OpenAI | AI language model powering chatbot and voice receptionist responses | USA; SCC / DPF |
| Vapi | Voice infrastructure and call handling for the AI receptionist | USA; SCC |
| ElevenLabs | Text-to-speech (TTS) for the AI receptionist voice | USA; SCC |
| Telnyx | Telephony: connecting inbound and outbound calls | USA / EU; SCC |
| Soniox | Speech-to-text (STT): converting call audio to text | USA; SCC |
| Resend | Sending email notifications | USA / EU; SCC |
| Netlify, Inc. | Web hosting and form processing | USA; SCC |
| Google LLC | Analytics (Google Analytics GA4) and tag management (GTM) | USA; DPF / SCC |
| Meta Platforms, Inc. | Advertising measurement (Facebook Pixel) | USA; DPF / SCC |
| TikTok Technology Limited | Advertising measurement (TikTok Pixel) | EU (Ireland) / USA; SCC |
| Stripe | Payment processing (subscriptions) | USA / EU; DPF / SCC; PCI-DSS compliant |